DFIR Reference Frameworks Save

Repository of public reference frameworks for the DFIR community.

Project README

DFIR Reference Frameworks

This repository is intended to provide a public reference to frameworks directly relevant to the DFIR community. It's common for the DFIR community to use terminology that isn't always well defined in the documentation they produce. This repository aims to help the DFIR community, and those reading information from the DFIR community, have a better understanding of defined terms and a more consistent approach to the language used in documentation.

Given the DFIR community is not a regulated industry, it's not common to find academic peer-reviewed papers for the majority of the topics below. For this reason, the Frameworks provided below are considered commonly used/accepted within the industry, or originate from well-known educational resrouces. This repository is not intended as a reference location to individual vendor methodologies. Any changes submitted need to show that the source meets these requirements.

Use of this Repository

You're welcome, and I encourage, you to use the references provided below. All I ask is if you find other useful references you drop me an Issue with the link and why you think it's useful, so I can add it for others to benefit from. Additoinally, if you really enjoy using these references, shoot me an email or a message just to let me know this was useful....that's it, enjoy.

Incident Response

Description Author Link
Identification and Prevention of Cyber Activity Lockheed Martin The Cyber Kill Chain
Adversary Tactics and Techniques Categorisation MITRE ATT&CK Matrix
Sensitive Information Sharing/Classification FIRST.org Traffic Light Protocal
Event and Incident Vocabulary Verizon The Vocabulary for Event Recording and Incident Sharing (VERIS)
Detection Indicators Usefulness David J Bianco The Pyramid of Pain
Capabilities to Defend an Organization Matt Swann The Incident Response Hierarchy of Needs
DFIR Reporting Lenny Zeltser Report Template for Threat Intelligence and Incident Response
Incident Response Framework for OT Systems Chris Sistrunk, Ken Proska, Glen Chason, Daniel Kapellmann Introducing Mandiant's Digital Forensics and Incident Response Framework for Embedded OT Systems

Malware Analysis

Description Author Link
Malware Analysis Process Lenny Zeltser How You Can Start Learning Malware Analysis
Sharing Malware Samples Lenny Zeltser How to Share Malware Samples With Other Researchers

Threat Intelligence

Description Author Link
CTI Source Analysis/Assessment Framework Sergio Caltagirone, Andrew Pendergast, Christopher Betz The Diamond Model of Intrusion Analysis
CTI Likelihood and Confidence Taxonomies MISP MISP Estimative Language
CTI Structured Language MITRE Structured Threat Information Expression (STIX™)
Transport Framework for Sharing CTI MITRE Trusted Automated Exchange of Intelligence Information (TAXII™)
Assessing CTI Feeds Value Kimberly K. Watson Assessing The Potential Value Of Cyber Threat Intelligence (CTI) Feeds

Proactive Response

Description Author Link
Modeling Security Threats Bruce Schneier Attack Trees
Theat Modelling Framework Microsoft The STRIDE Threat Model
Vulnerability Scoring Framework FIRST.org Common Vulnerability Scoring System

Threat Hunting

Description Author Link
TTP-Based Hunting Methodology MITRE TTP-Based Hunting
Cyber Threat Hunting Model Dan Gunter A Practical Model for Conducting Cyber Threat Hunting
Threat Hunting Scenarios @ThreatHuntProj The Threat Hunting Project

Insider Threat

Description Author Link
Detecting and Identifying Insider Threats and Methodology CISA Detecting and Identifying Insider Threats
Whitepaper on Behaviour Indicators of Insider Threats Eric D. Shaw, Ph.D. and Harley V. Stock, Ph.D Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall
An Insider Threat Indicator Ontology Research Papaer Carnegie Mellon University An Insider Threat Indicator Ontology
Insider Threat Detection Case Study NATO Insider Threat Detection Study
Insider Threat Detection and Approach from CrowdStrike Venu Shastri - CrowdStrike Detecting Insider Threat Indicators
Insider Threat Detection for the Cloud Dave Shackleford How to Build a Detection and Response Strategy for Insider Threats

Digital Forensics

Description Author Link
Open Source Agenda is not affiliated with "DFIR Reference Frameworks" Project. README Source: joshlemon/DFIR-Reference-Frameworks
Open Issues
Last Commit
9 months ago

Open Source Agenda Badge

Open Source Agenda Rating